back to article It's 2015 and a RICH TEXT FILE or a HTTP request can own your Windows machine

Microsoft has delivered its latest monthly batch of security updates to address flaws in Windows, Office and Internet Explorer. Redmond's latest Patch Tuesday payload includes 11 bulletins, four of which are rated critical as they allow attackers to execute malicious code on victims' computers from across the internet. The …

  1. elDog

    Flash Player - or a Prayer?

    How is it that one simple application can be so tremendously vulnerable? I can see the surface area of an entire OS such as Windows having lots of vectors, but a simple PDF reader?

    I use Foxit software whenever I can but various browsers seem to want to drag in Adobe's products. I'm almost more afraid to apply their hastily-assembled patches than Redmond's. And yet I'll update my Linux distros with nary a concern. Backups before most major ones, of course.

    1. Chris 244

      Re: Flash Player - or a Prayer?

      I think you are confusing Adobe Acrobat with Adobe Flash Player. One opens PDFs the other opens up a world of hurt.

    2. Shannon Jacobs
      Holmes

      Re: Flash Player - or a Prayer?

      That's exactly what I was going to ask. It's not just the monthly patches, but I'd estimate they average an update every week--and the Flash Player still crashes several times a day. That's going back as long as I can remember. How is it POSSIBLE to produce such buggy software and FAIL to fix it for so long?

      As regards the Microsoft patches, I'm just getting overwhelmed by the sheer size of them. If you have Office 2013 installed, then this month's patches ran over a gigabyte. Also problems with the emergency patches from Microsoft--there were at least two or three of them that just went in in the last week...

      AMAZING. Can you imagine they could distribute such buggy software if they they were actually liable for the damages caused by their bugs? Me neither.

      1. Anonymous Coward
        Anonymous Coward

        Re: Flash Player - or a Prayer?

        The Flash player plugin in Firefox is crashing several times a day. guess that's what you are using?

        Ever heard of Shumway? It's Mozilla's coming replacement for Flash player. I can recommend testing it. It's not 100% working yet, but looks promising.

      2. Peter G Green

        Re: Flash Player - or a Prayer?

        Call me an old fuddy duddy, but the last good version of Office was 2003. Still using it, still works. Turn off macros and enjoy fast document processing. It installs in seconds, takes very little time to configure, everything is where it should be. I got off the whole "You Must Upgrade Your Office Software Every 2 Years" train many, many years ago :-)

        PS. I will now wait for replies calling me a fuddy duddy. I know, I asked for it..

        1. Pascal Monett Silver badge

          LibreOffice does everything I need it to, and it's free.

    3. Adam 1

      Re: Flash Player - or a Prayer?

      Also, you may want to rethink your choice of PDF viewer now they bundle open candy malware.

    4. Annihilator

      Re: Flash Player - or a Prayer?

      Are people still using Flash?? Can we not just kill it now? I write-off any website that still insists on using it. It does amuse me that Adobe and users were up in arms when Apple refused to let it run on iOS due to crap performance and security, yet it's still a steaming pile nearly 8 years later.

      1. Loyal Commenter Silver badge

        Re: Flash Player - or a Prayer?

        Easy solution (in Firefox at least):

        Tools - Add-Ons - Shockwave Flash - Change the drop-down to 'Ask to activate' and only activate it on those websites that won't work without it, and even then, think about whether you need to use that site...

    5. batfastad

      Re: Flash Player - or a Prayer?

      @elDog Ditch that Foxit adware... Check out SumatraPDF :)

    6. Tom 13

      Re: one simple application can be so tremendously vulnerable?

      Simples: the app opens all/most/many of the OS interfaces without doing any of the bounds checking/sandboxing the OS does. This is the essential problem with Flash/Java/Reader. As mere rendering devices none of them would have half the problems they do. BUT, they aren't mere rendering devices. Each of them incorporates user input and OS processes to manipulate data.

  2. gollux

    So, I had to deploy a brand new Windows 8.1 workstation the other day and by the time I got through, Microsoft had downloaded 1.8G of patches to install... Begs the question, where's the service pack to help prevent this? Oh, wait, we'll be getting Service Pack X (Windows 10) soon.

    My question, after the same period of time after release, is Spartan going to be coming home on its shield?

    1. SecretSonOfHG

      Don't forget that Spartan will surely add some more patches on top of whatever else there is today...

    2. Anonymous Coward
      Anonymous Coward

      "Oh, wait, we'll be getting Service Pack X (Windows 10) soon."

      Judging on past practice RTM and public release will be little more than extended beta testing. Enterprises will wait for the inevitable SP1, and still there will be regular Gb+ patch sessions. Of course Spartan will be vulnerable - even if (which I doubt) it were ground up new build, it is evident that Microsoft simply cannot design and write secure code.

      I concur with the complaints of other commentards but project this forward to Windows 10: So for ten months time "How have Microsoft produced a package of such vulnerable code, when so much of it is recycled and has been around since what, Server 2003?"

      1. Anonymous Coward
        Anonymous Coward

        Please, indicate me someone who can design and write secure code and doesn't need to release patches...

        1. Anonymous Coward
          Anonymous Coward

          I don't think the issue is the release of patches, but the sheer size of them.

          1. Bronek Kozicki

            ... and the long, long process of applying each one of them, with obligatory multiple restarts in the middle of the process. As opposed to installing one service pack (whose total size is a fraction of total size of patches) which applies all patches in one go.

            1. This post has been deleted by its author

              1. Bronek Kozicki
                Mushroom

                I guess you only installed first batch of updates and forgot to press "Check for updates" to see a whole lot more updates for the updated "Windows update". Among which will be second update to "Windows update" after which you will have to restart, and again will be blissfully unaware that you are not even half-way through the process. Because that's the Microsoft Way, doh.

          2. Tom 13

            Not just the size of them, the fact that they DON'T release service packs the way they use to. About once a year you got an SP. If you kept the SP on hand, you could take a .0 and patch it up to the SP without all that mucking about with scanning, downloading, installing, rebooting, and repeating until no new patches are found. AND there were no mysterious failures to install patches the system indicates need to be installed.

    3. Anonymous Coward
      Anonymous Coward

      Service packs today are delivered only to augment features or other deep changes. Everything else comes with patches - that's why WSUS is handy. There's also slipstreaming....

  3. jake Silver badge

    Whatever.

    Slackware on the desktops, BSD on the servers & routers.

    It's not only a good idea, it should be the law.

  4. Stevie

    Bah!

    Yes, I know about the Adobe update because the bloody thing flatlined my already glacially slow personal hotspotty internet connection while I was trying to kick into the latest Schlock Mercenary venture and download some things into mi'Raspberry Pi2.

    Yet another chance for McAffee to attempt to smuggle their crappy anti-virus program onto my lappy and for yet another mysterious appearance of the unwanted, unasked-for Ask Toolbar.

    And why does a security update necessitate re-agreeing to the ToC? Shouldn't some sort of carry-through be assumed from the fact that one has a vulnerability-riddled copy of the said software on the computer already (else why update)?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like